Worms Are True Parasites

Monday, November 28, 2005

Lesson IV - Worms Are True Parasites

When it comes to worms, there is a huge difference between those that slither in the soil underneath your feet and those that creep into your PC via its Internet connection. Although worms of the underground variety may damage crops and make your lawn look less than perfect, they are not likely to cause the type of mass destruction that worms of the computer variety can cause.

On a monthly basis, Central Command, an anti-virus software company, releases its Dirty Dozen list of the most dangerous malware (code created for malicious and/or illegal use) currently on the move. The list demonstrates the prevalence of worms: Of the 12 items listed, 10 are worms.

In another example of worms’ power, the Anna Kournikova worm of 2001 led many ISPs (Internet service providers) to shut down email service before the worm’s arrival in the United States. Nonetheless, as the worm propagated, forwarding copies of itself to everyone listed in each victim’s address book, it flooded servers, causing some to become much slower or shut down. The damage could have been much worse, though, had there not been such a fast warning about the spread of the worm in Europe.

How are worms capable of causing such destruction? In this article, we analyze this question and several others in an effort to help you better understand the power of worms.

Sunday, November 27, 2005

Dissecting Worms

Although commonly referred to as viruses, anti-virus software developers and others in the industry actually classify worms as a separate entity from viruses. A virus moves from file to file on one user’s system, remaining dormant in a file or the boot sector of a diskette until someone or something launches it or a victim accesses it; a worm copies itself and travels among computers over a network and/or uses email messages to transmit to other computers via the Internet.

A worm’s creator, for example, might program it to try using a string of IP (Internet Protocol) addresses until it finds another vulnerable system. In addition, maybe the worm’s creator programmed it to search an email program’s address book, make copies of itself, and forward itself to each of the email addresses it finds.

Some people also confuse worms with Trojan horses because the two types of malware often bundle together in a blended threat, a type of two-in-one malware.

Worms also differ from Trojan horses in that a Trojan horse, unless coupled with a worm, will not travel from computer to computer. A Trojan horse only causes damage when a user launches it, which usually occurs because the user believes it’s actually another type of program, such as a fun game.

All types of malware carry a payload, the content or code that causes the damage. In other words, a worm’s payload dictates what the worm will do to harm a system or network once it becomes active. The payload might be code that destroys specific files, alters web sites, or crashes a system.

Anti-virus software developers and other industry experts sometimes refer to two types of worms: active and passive.

Saturday, November 26, 2005

Active Worms

Active worms are especially dangerous because you may not even need to launch the worm in order for it to start replicating and unleashing its payload. It might be enough to simply open an infected email message. Yes, that’s right—you may not even need to open the attachment, just the email message itself. In fact, some worms can launch from the preview pane of email programs such as Microsoft Outlook or Outlook Express, even if you don’t double-click to open the message in a separate window.

The only way to halt an active worm is to install the proper patches needed to correct vulnerabilities in your software.

Friday, November 25, 2005

Passive Worms

A user must do something (generally open an email attachment containing the worm) before a passive worm becomes active. Obviously, a user probably wouldn’t launch a worm intentionally. So how, then, are passive worms unleashed? The answer is that a passive worm is really a Trojan horse with a worm contained in its payload. The user believes the Trojan horse is something other than what it really is.

Tempting users to open Trojan horses and other email attachments is known as social engineering. The goal is to create a ploy that will make most recipients open the Trojan horse and/or attachment. When working toward this type of goal, someone distributing a passive worm might ask himself, “What would make this attachment compelling enough to open?”

A passive worm with a good social engineering approach will trick many users into running the Trojan horse application, which might cause widespread damage. But if malware doesn’t have a sufficient social engineering edge, recipients will either not see a compelling reason to launch the attachment or be suspicious enough to view the attachment as some type of threat.

Thursday, November 24, 2005

Damage Assessment

Just how much damage do worms cause? The answer is that it varies, depending upon the design of the worm and the environment in which it is unleashed. Basically, the amount of harm a worm does relies on three factors: how likely the worm is to be activated, how likely it is to spread to other systems, and how destructive its payload is.

Let’s look closer at each of these factors. First, what influences how likely a worm is to become activated? In the case of a passive worm, its level of activation relies upon the quality of its social engineering, as we discussed in the previous section. In the case of an active worm, its level of activation depends upon the number of systems it encounters that have the vulnerability the worm needs to exploit.

The next factor is how likely the worm is to spread to other systems. This depends on chance and the way in which the worm’s code works. If a worm propagates by finding email addresses in recipients’ address books, how quickly it spreads depends upon the number of addresses users of infected systems store in their address books. If a worm propagates by trying to send itself to various IP addresses, how much it spreads depends on how many IP addresses it locates in which systems have the necessary vulnerability.

Finally, the amount of damage a worm does depends upon its payload. Worms contain at least one payload that lets the worm replicate. Frequently, however, worms carry a second payload: the code that directly causes damage.

Some worms cause damage simply through propagation. These worms send multiple copies of themselves through a system in a relatively short period of time, which might cause infected servers to slow down, or maybe even shut down. This is generally the case with a DoS (denial of service) attack.

Other worms not only cause damage through propagation, but also through the additional code they include. For instance, a worm might contain a payload that vandalizes web sites, forwards private files to other recipients, or damages files on recipients’ computers.

What is important to remember, however, is that a worm’s payload is only part of the equation. Even if a worm has a highly destructive payload, it will not cause widespread worldwide damage unless it also is widely activated and quickly propagated. Even if the payload could bring down huge servers, it will not cause any damage if it doesn’t find systems with the necessary vulnerabilities and the ability to efficiently propagate to other systems.

Wednesday, November 23, 2005

The Future of Worms

Worms will likely continue to become more advanced over time. A decade ago, no one would have imagined a worm such as Code Red could launch without any action on the part of the user.The Timofonica worm is a telling example of what the future might hold. This worm spreads among digital phone users, circulating a message targeted at a Spanish cellular phone company, Telefonica. Infected phones display the message (in Spanish), “Telefonica is deceiving you.”

Although this worm does very little physical damage, it does suggest that attacks against digital phones and PDAs (personal digital assistants) are probably an inevitable part of the near future. Such portable devices are a convenient and tempting target for attacks. After all, modern digital phone address books store more phone numbers and email addresses than they did in the past.

In addition, many of today’s digital phones are web-enabled, blurring the lines between the amount of damage a worm could do to a digital phone and the amount of damage a worm could do to a network. For example, a worm could infect digital phone and PDA content, digital phone signals, address books, and web servers.

Another thing we’ll likely see more of is the use of worms in advertising. For instance, the FriendGreetings.com Trojan horse’s payload includes a worm that sends spam (unsolicited mass-mailing advertisements) to everyone in a user’s address book.

Plus, Code Red demonstrated another type of power worms have: the ability to alter web content. If you consider all the possibilities this type of power could unleash, its potential damage can be rather frightening. For example, a hacker could in theory use a worm to target news-related web sites and alter the content of these sites to create panic with bogus news stories. Or a hacker working for a company might consider altering the web site of a competitor to falsely announce a major product recall. The consequences of such a recall could cause stockholders to frantically (and unnecessarily) sell shares of that company’s stock. And these are only a couple of scenarios—the possibilities are endless.

These are hypothetical situations, of course, but within the last few years, we’ve seen worms evolve in complexity at an astonishing rate. Just three years ago, we wouldn’t have worried about viewing an email message in a preview pane. In fact, we wouldn’t have even worried about opening an email message; it was only the suspect attachments we worried about. Today’s worms rank among the greatest of all Internet security risks and can propagate with little or no interaction on the part of the user.

Worms are likely to continue their assault on the Internet and seek new and unforeseen ways of slithering right past you—undetectable until you again download the most recent updates from your anti-virus software developer’s web site.